June 1, 2026
Red Team Scenarios

The Server That Phoned Home

The scenarios in this series are fictional but grounded in real capabilities and documented risk patterns. They're designed to provoke discussion, not predict specific events.

Domain: Export Controls / Diversion Enforcement

Situation Briefing

It is 02:47 EST on a Tuesday in late spring 2027. An automated alert reaches the on-call duty officer at the Bureau of Industry and Security end-use monitoring desk. The alert is unusual in three ways. It is the first of its kind. It originated not from a human reporter but from a chip. And the chip in question is sitting in a Tehran data center.

The reporting system is the on-chip attestation telemetry mandated by the Chip Security Act, which became operational on advanced compute exports beginning January 1, 2027. Twelve weeks ago, a shipment of 1,400 Blackwell B200 accelerators, configured as 175 eight-GPU server units, cleared U.S. customs en route to a licensed end user in Singapore, a regional cloud provider that has held a green-channel VEU license since 2022. The shipment arrived in Singapore on schedule. The installation reports filed by the end user describe the units as racked, powered, and operating in a Jurong East facility. Those reports are forged. The duty officer's alert says so.

The on-chip telemetry works through a cryptographic attestation protocol. Each chip, on first boot in a new physical environment, performs a handshake with U.S.-controlled root infrastructure that confirms the chip's attestation envelope matches the declared installation site. The handshake is silent, intermittent, and engineered to be difficult to spoof without specialized equipment. Twenty-six of the 175 server units in this shipment, representing 208 of the 1,400 chips, are currently failing the location-match check. The chips believe they are in Tehran. The system believes the chips are right.

By 04:30 EST, the BIS analyst working the alert (a five-year veteran who came up through the Treasury OFAC sanctions evasion desk and joined BIS during the post-Liaw staff buildout) has run the chip serial numbers against the export control reference dataset and confirmed the cryptographic attestations are well-formed. Two senior cryptographers at NIST and a counterpart team at the chip manufacturer's security division have independently verified that the attestations are not the product of a spoofing attack on the attestation protocol itself. The chips are where they say they are. The Singapore installation reports are fabricated.

By 06:00 EST, the chain of custody is partially reconstructed. The shipment landed in Singapore, was warehoused for nine days at a freight-forwarding facility in the Tuas port complex, and was then reconsigned through a paper transaction to a Hong Kong holding company that has appeared on three previous diversion-pattern flags but never as a named party in an enforcement action. From Hong Kong, the units were shipped to a freight forwarder in Dubai under a routing manifest that described them as "industrial computing equipment, telecommunications grade." From Dubai, they crossed the land border into Iran. The whole route took nineteen days. The Tehran data center went hot the day after the trucks arrived.

You are the senior advisor to the Director of BIS. At 07:15 EST the Director calls you at home. She wants three things on her desk by close of business: a confirmed read on how many other Chip-Security-Act-compliant shipments in the last twelve weeks might be in similar postures (the answer, by 11:00, is that two other shipments are showing anomalies that warrant a closer look but neither is as clean a hit as this one), a draft of the response options paper for the interagency at 09:00 the following morning, and her recommendation on the one question that has not yet been put on paper. That question is what to do with the fact that "tip of the iceberg," spoken about the diversions documented in the Liaw indictment fifteen months ago, was apparently a literal description and not a rhetorical one.

The Director knows what the previous decade of diversion enforcement looked like. She came up through the ZTE case and worked the Huawei Entity List expansion. She knows how long it took to get the political ground for those actions, how much sanctions evasion still ran around them, and how the documented case files were always a fraction of the working hypothesis. The Liaw indictment in SDNY, the Fortune reporting on the encrypted Signal threads, the year of enforcement actions that followed: all of it lit up the same uncomfortable picture. The first trackable shipment to fail its location check was always going to land. She wants to know whether the chip telling on itself is the alert the regime was designed for, or the test the regime was not.

One additional fact, surfaced at 08:40 by the embassy officer in Abu Dhabi who is read in to the Dubai end of the route. The freight forwarder in question is a tenant of a logistics park that has been informally adjacent to the Stargate UAE compliance dialogue for the last fourteen months. The Emirati side has been quietly cooperative on adjacent diversion questions, but has never been asked, on the record, about this specific node. The embassy officer's read is that asking now will surface either a useful answer or a damaging one, and that the choice between asking through liaison channels and asking through formal demarche will be the choice that determines which.

Decision Point

Option A: Public Disclosure and Sanctions Designation. Disclose the diversion publicly within five business days. Name the freight forwarders, the shell consignees, the Hong Kong holding company, and the data center operator. Use Treasury authority to issue OFAC designations against every identifiable actor in the chain. Add the relevant entities to the BIS Entity List. Brief the press on the on-chip telemetry working as designed. Position the alert as a validation of the Chip Security Act and a deterrent to subsequent diversion attempts. The most visible option. Also the one that burns the intelligence value of the alert before that value has been extracted.

Option B: Quiet Enforcement and Supplier Crackdown. Hold the alert close. Use the chain-of-custody reconstruction to map and roll up the supplier-side network that moved the units through Singapore, Hong Kong, and Dubai. Pursue indictments under seal where possible, in coordination with DOJ and partner-state law enforcement, on a six-to-twelve-month timeline. Quietly pull the VEU status of the Singapore end user. Brief select allies through liaison channels but not publicly. Preserve the on-chip telemetry's deterrent value by not revealing how the alert was generated. The traditional enforcement posture. The one that maximizes the supplier-side rollup at the cost of a deterrent statement.

Option C: Run the Alert as Intelligence Collection. Do nothing visible. Treat the Tehran installation as a passive collection opportunity. The chips continue to phone home; the U.S. intelligence community gets a sustained read on which workloads the Iranian customer is running on the cluster, which adjacent infrastructure the cluster connects to, and which procurement nodes are likely to be used for the next shipment. Use the visibility to identify the broader Iran-aligned procurement network and the customer-side end users. Plan a coordinated enforcement action at the moment the intelligence value plateaus, which is unlikely to be soon. The collection option. Also the one that requires sustaining a deliberate enforcement gap in defiance of the Chip Security Act's plain-language intent.

Option D: Escalate to NSC for Diplomatic Response. Treat the diversion as an Iran-policy event rather than an export-control event. Brief the National Security Council within 24 hours. Frame the alert as actionable intelligence supporting a broader diplomatic push on Iran sanctions evasion, with parallel asks of the UAE, Singapore, and Hong Kong governments. Coordinate with State on a formal demarche to each transit jurisdiction. Make the response a matter of bilateral diplomacy rather than enforcement action. The Iran-frame option. The one that converts an export-control win into a regional policy lift, with the regional policy's costs.

Before you choose, you should walk the chain. The trucks that crossed the Iranian border did not start in Tehran. They started in a Mountain View warehouse. Below is the reconstructed diversion route, node by node. Look at who would have to be flipped, indicted, or pressured at each stop to make the chain unworkable. The disclosure timeline forecloses some of those moves. Read the chain before you set the timeline.

[Interactive widget: The Diversion Chain. Eight stops between Mountain View and Tehran. Each stop shows the controlling jurisdiction, the actor, and the enforcement tool available, and the summary counts which stops are U.S.-reachable and which require cooperation. The chain reads forward; the enforcement reads backward.]

Complicating Factors

The Chip Security Act Was Sold as a Deterrent. The legislative case for H.R. 3447, made on the floor in 2026 and in the committee markups before it, rested on the proposition that visible tracking would deter the kind of diversion the Liaw indictment had exposed. The political theory of the case was that bad actors, knowing chips could phone home, would not divert them. The empirical answer, based on the Tehran installation, is that bad actors will divert them anyway and find out which alerts trigger which responses. The first answer is the one that funded the bill. The second answer is the one that will define the bill in retrospect. The disclosure choice is, in part, a choice about which of those answers the administration owns publicly.

The Supplier Network Is Not Just Diversion. It Is Insurance. The Signal threads surfaced by Fortune in May 2026 described a market in which freight forwarders and shell consignees served multiple customers simultaneously: chips for Chinese end users, chips for Iranian end users, chips for Russian end users, chips for ordinary commercial customers buying from gray-market resellers because the licensed channels were too slow. The networks are professionally indifferent to the end user. They optimize for the cost of moving controlled inventory through chokepoints with low inspection rates. A successful rollup against the Iran branch of this network will not collapse the network. It will reroute it. The supplier crackdown framing in Option B is real, but its half-life is the time it takes a freight forwarder in the Tuas port complex to onboard a new shell.

The Diplomatic Cost Is Borne in Three Capitals. Singapore, Hong Kong, and the UAE each occupy delicate positions on advanced-computing compliance. Singapore has been a model VEU jurisdiction and will respond to a demarche by tightening its end-use auditing, at a regulatory cost it has been willing to bear. Hong Kong's status as a transit jurisdiction for diverted chips is structurally over-determined and politically fraught; a demarche there reaches Beijing as much as it reaches the local administration. The UAE has been spending diplomatic capital on the Stargate UAE compliance dialogue and will read a formal Dubai-facing demarche as either a test of the dialogue's good faith or a punishment for it. The choice between liaison-channel and demarche-channel asks is, at each capital, a different choice. There is no single posture that calibrates well to all three simultaneously.

The Iranian End User Will Adapt. The Tehran cluster, once it learns it is visible, will be relocated, partitioned, or air-gapped within a defined window. The on-chip attestation can be defeated, partially, by sustained operation inside a Faraday-shielded environment with controlled power conditioning. The defeat is not perfect and the engineering cost is meaningful, but the cost is bearable for a sovereign customer. The window between Iran learning the chips are talking and Iran neutralizing the talk is, by the chip manufacturer's security team's estimate, between two and seven weeks. Whatever the intelligence value of the open channel is, it is a wasting asset. Option C runs on a clock the U.S. does not fully control.

The Stargate UAE Adjacency Is the Awkward Part. The freight forwarder in Dubai is not Stargate UAE. It is a tenant of a logistics park three kilometers from a facility associated with the Stargate UAE compliance dialogue. The Emirati side has been a partner on the compute side and has been quiet on the diversion side because no one has formally asked. A public disclosure that names the Dubai node will read in Abu Dhabi as a breach of the unspoken understanding that diversion enforcement and Stargate UAE cooperation occupy separate tracks. A quiet liaison ask will preserve the separation at the cost of waiting. The longer the wait, the more chips clear the same node.

Allies Will Notice the Alert Worked. The Five Eyes partners, the EU export control coordination, and the Japanese and Korean compliance authorities will all want to know how the alert was generated, how durable the protocol is against defeat, and what their version of the same capability looks like. The first public disclosure of an on-chip-telemetry-driven enforcement action is a global signal. It is a signal to adversaries about a capability that, to date, they could only model from the legislative record. It is a signal to allies about a capability they will want either deployed in their own export regimes or, in some cases, kept off their own export regimes. The disclosure timing is also a diplomatic timing question.

Diagnostic: What Counts as Disclosure?

The doctrinal question underneath the four options is what disclosure actually means in the post-Chip-Security-Act regime. Disclosure is not binary. It has at least four dimensions: whether the U.S. publicly confirms a diversion occurred, whether it names the actors in the chain, whether it explains how the alert was generated, and whether it reveals the limits of the capability. Each dimension has a different cost. A response that gets one dimension right can fail badly on another. The exercise below asks you to weigh intelligence value against enforcement value for the four most relevant disclosure choices, and to watch how the answer shifts as the weight shifts. The Director will want this calculus on the back of her recommendation memo. It is the work that has to be in the response, not just the option.

[Interactive widget: The Source Calculus. Four disclosure postures, each weighed by the intelligence value it preserves against the enforcement signal it sends.]

Discussion Questions

What Was the Chip Security Act For? The bill was sold to two audiences simultaneously: a deterrence audience that wanted bad actors to know chips could be tracked, and a collection audience that wanted to know when bad actors moved them anyway. The two purposes are partially compatible but not fully. A disclosure regime that maximizes deterrence sacrifices collection. A regime that maximizes collection sacrifices deterrence. The first major enforcement action will fix the public read on which purpose dominates. Decide now whether you want that read to be deterrence-forward or collection-forward, because the next action will inherit the precedent.

Who Owns the First Public Word? If BIS does not disclose, someone else will. The leak is a question of when, not whether. The chip-side telemetry produces a forensic record. The forensic record is shared, eventually, with the chip manufacturer's security team, with NIST, with at least two contractor analysts at FFRDCs, and with the State Department officer who handles the related demarches. A leak from any of those nodes will land in a reporter's inbox on a timeline the agency does not control. The choice is between owning the disclosure narrative and reacting to it. Plan for the leak even in scenarios where the agency intends to disclose. The leak will usually beat the press release by between two days and three weeks.

What Does Iran Hear? The Iranian customer hears one set of things from a public sanctions designation, another from a quiet operational disruption, and a third from sustained silence. Each soundtrack drives a different operational response. The customer's reaction shapes the next month's collection environment, the next quarter's procurement strategy, and the symbolic posture the Iranian government adopts about U.S. export controls in the next round of regional negotiations. The export control choice is also an Iran-signaling choice. The two cannot be separated cleanly.

How Will the Bill's Sponsors Respond? The bipartisan coalition that moved H.R. 3447 includes members who staked political capital on the deterrence framing and members who staked it on the collection framing. The first major use of the bill's authorities will activate both wings of that coalition. A disclosure that prioritizes collection will hear from the deterrence members. A disclosure that prioritizes deterrence will hear from the collection members. Both sets of members have oversight tools. The interagency response posture is also a congressional management problem. Read in the relevant staff before the agency acts.

Where Does the Liability Land? The Singapore end user filed forged installation reports. The forgery is, under U.S. export control law, a serious offense by an entity that until last week held VEU status. The question of whether the forgery was the end user's own work, the work of a compromised insider, or the work of the supplier network operating under the end user's name has consequences for both the response and the broader VEU regime. If a model VEU jurisdiction's flagship end user was compromised, the VEU framework's compliance assumptions are weaker than the agency has been representing. Decide whether the response will surface that weakness publicly, sit on it pending further investigation, or treat it as a one-off.

Anna's Read

The thing that keeps me up on this one is the gap between what the chip can tell you and what the institution can hear. The on-chip attestation works. It worked exactly as the engineers said it would. The capability that decades of export control policy could only dream of is sitting on the duty officer's desk, calling out diverted hardware in close to real time. The question of what to do with it is not an engineering question. It is an institutional question. And the institution that has to answer it is one whose enforcement reflexes were calibrated against a world where the chips could not talk.

Some framings to set aside. This is not principally an Iran problem. The Iranian end user is the immediate beneficiary, but the network that moved the chips is the durable adversary. A response that frames the event around Iran will produce an Iran-shaped response and leave the network intact to serve the next customer. The Liaw indictment was framed around China and the resulting enforcement actions left the network mostly intact to serve the next customer too. The pattern is the network, not the destination. Treat the destination as one data point.

It is also not, on the merits, a clean validation of the Chip Security Act. The bill worked as written. It worked because the diverters apparently did not believe the telemetry was operational at the scale the bill claimed, or believed the protocol could be defeated at the receiving end, or decided the value of the cluster justified the operational risk of the alert. Each of those beliefs is a finding about how adversaries read U.S. export control regimes. The finding is more useful than the deterrence headline. The headline will get written either way.

My recommendation, on balance, is B with elements of C. Quiet enforcement, paired with a deliberate intelligence-collection window that the agency commits to in writing, with an end date. Use the first six weeks to map the supplier-side network as completely as the open channel allows. Pursue sealed indictments and quiet VEU-status changes in parallel. At week six (or sooner, if the Iranian side starts hardening the installation), pivot to a coordinated public action: the Entity List additions, the OFAC designations, the unsealed indictments where possible, and a controlled press posture that confirms the on-chip telemetry generated the alert without revealing the engineering details that would help adversaries defeat it. The intelligence collection has a half-life. The enforcement signal has compound interest. Sequence them so the collection runs first and the signal lands second.

On the diplomatic track, the three transit capitals require three different conversations. Singapore should hear, through liaison channels within seventy-two hours, that the agency has confirmed a diversion through a Singapore-licensed VEU and intends to revisit the VEU. Singapore will move on its own once it knows. Hong Kong should hear nothing for now; a demarche on Hong Kong reaches Beijing on a timeline that is not in the agency's interest until the supplier-side rollup is further along. The UAE conversation is the hardest. It should happen, in person, in Abu Dhabi, at the level of the BIS Director and the relevant Emirati counterpart, within ten business days. The conversation should be framed not as an accusation but as a notification of an enforcement matter that touches a Dubai node the U.S. believes the UAE will want to handle quietly before it becomes public. The Stargate UAE dialogue is a real asset. It is worth more than the symbolic value of a public Dubai-facing designation. Use the dialogue.

The disclosure piece, when it comes, should be careful about what it confirms and what it does not. Confirm that a diversion was detected and disrupted. Confirm that the Chip Security Act's authorities were used. Decline to confirm the specific technical mechanism by which the chips were located. Acknowledge that the supplier-side network reached across multiple transit jurisdictions and that partner cooperation was material to the enforcement action. The press will pattern-match against the Liaw indictment and write the story that way; the agency should not fight that frame, because the frame is correct in substance. The Liaw network and the Tehran network are likely overlapping. The agency should let the press get there on its own and decline to confirm what it does not need to confirm.

The lesson that will outlast this incident is about the difference between a capability and a doctrine. The U.S. now has, for the first time in the history of dual-use export control, a chip-side capability to verify end use after the fact, in close to real time, at scale. The doctrine for using that capability has not been written. The four options on the Director's desk are sketches of four different doctrines. Whichever sketch the agency picks for this case will harden into precedent within two enforcement cycles. The disclosure framing of this case is the disclosure framing of the next ten. Write it for that horizon. Not for the headlines this week.

A note on the analyst. The five-year veteran who pulled the alert at 02:47 is the kind of officer the agency built the Chip Security Act for: trained to read attestation telemetry, fluent in the sanctions-evasion patterns that produced the diversion network, and senior enough to know what to escalate and what to sit on. She will be told, this week, that she has done excellent work and that the matter is being handled at the principals level. She will not be told what the principals decide, or why. That is the agency the principals work in. It is also the agency where the next alert will land. The principals should remember that. The doctrine they write this week will be read by the next analyst on the next desk on the next morning. The doctrine should be one she can act on.

Make the calls. Run the source for six weeks. Then land the action.

Anna R. Dudley writes on national security, AI policy, and the institutional structures absorbing the costs of AI deployment faster than they are being redesigned. Red Team Scenarios is the series for the call you don't want to take. Subscribe at annardudley.substack.com.
